Yubikey Neo Teardown and Durability Review
An anonymous reader writes: Folks at HexView (disclaimer: I contract for the company) took apart the Yubikey Neo and found out that, while the key uses solid hardware to ensure secure identity management, its physical anti-tamper measures and durability could be improved. The tear-down analysis is short, but to the point, and offers some very nice close-ups of the internals. One example of the design shortcomings they've identified: Contrary to Yubico's claims, the Yubikey appears to be quite destructible. Do not push on it when you touch the sensor while the key is plugged into a USB port. The point where it bends the most happens to be the point where the USB vias are located and through which the NFC antenna loop goes. To make things worse, the injection molding hole right next to the connector makes this area even more susceptible to bending.
I have one that I've carried and abused daily for years, still working, though I think it's getting close to needing a replacement. My biggest problem, because I wear it on a necklace chain, is that it's been getting sweat on the contacts which eventually have gunked up and corroded. I was able to scrape it off with a knife, but that scraped off the gold plating and exposed the copper underneath, which is of course corroding much worse. I've got the private key locked away here somewhere so I can flash one of my spares and be up and running quickly, or I can just add the new key to the places I use it before it croaks. I've had more problems with USB ports getting worn out.
It's a second factor in two factor authentication (2FA) for applications that support it.
The one I find to justify it entirely is LastPass. All of the random sites on the internet that need credentials can have automatically generated passwords that are stored encrypted, and I never have to remember them. I just have to remember the LastPass password and have the Yubikey set up with my account. The Yubikey integration requires a LastPass Premium subscription.
Of course, nowadays you can use Google Authenticator without having a piece of custom hardware or paying for LastPass Premium. But I don't mind supporting good companies with useful products.
Agh, wtf is a salad?
Apparently you need some help with understanding something. So here is a helpful link: Word salad
Why didn't they at least pot the thing in epoxy. Sure makes it a lot harder to tamper with.
From TFA: For those interested, FIPS 140-2 Level 1 means that a device has at least one standard ("approved") security algorithm or function, and Level 2 means that the physical design is tamper-evident.
He seems to think little of the product, but it appears to me it meets the requirements just fine. It's obvious that his key was tampered with, and nothing was done to try to extract key data from the device. Basically, he can take one apart, but there's little chance someone's going to take my Yubikey in the middle of the night, duplicate the key data, and put it back without me noticing something is wrong. Sure, the NSA could probably do it, but they can't have the time with listening to everyone's grandma's phone calls. =)